The saga surrounding the St. Louis Cardinals hacking scandal concluded with the issuance of a final punishment from MLB. The scandal stemmed from the actions of former Cardinals scouting director Chris Correa, who illegally accessed the e-mail accounts of members of the Houston Astros front office as well as the Astros' scouting database. The Cardinals were ordered to forfeit their top two selections in the upcoming 2017 amateur draft to the Astros and to pay the Astros two million dollars within 30 days. Correa, after pleading guilty to five counts of unauthorized access to a protected computer, was sentenced to 46 months in federal prison, ordered to pay $279,038 in restitution, and placed on MLB's permanently ineligible list.
This case provides a great example of how not every cyber incident involves sophisticated hacking techniques. The incident arose when members of the Cardinals front office left for the Astros. During the transition process they were asked to turn in their work laptops along with the passwords to those machines. Unfortunately, upon joining the Astros, one of the executives chose a new password very similar to the one he had just turned over to the Cardinals. Correa simply tried variations of the password the executive had used with the Cardinals and, by doing so, gained access to the Astros' e-mail accounts and scouting database. No exploit or malware was involved; the only "vulnerability" was a reused password pattern.
Creating an effective password management system involves striking a balance between security and ease of use. Requiring a long, randomly generated string of letters, numbers and symbols for every password would be very secure but difficult for employees to remember. When passwords are long or constantly changing, employees will simply write them down next to their computers, and your cybersecurity is then only as secure as your desk. The Correa case illustrates the other failure mode: when a policy lets employees keep a memorable base word and merely change a digit or a suffix, anyone who has seen one password can guess the next.
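One concrete control the two paragraphs above suggest is rejecting a new password that is only a trivial variation of one the organization already knows (a previous password, or one surrendered at offboarding). The following is an added example written for this page, not code from the original article or from any product it mentions. It normalizes both passwords (lower-casing, stripping leading and trailing digits and punctuation, undoing common letter-for-digit substitutions) and then compares them by edit distance; the threshold, the substitution table and the sample passwords are assumptions chosen for illustration.

```python
import re

# Common letter-for-symbol substitutions ("C@rdin4ls" -> "cardinals").
# Assumed table for illustration; extend it for your own user population.
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "$": "s", "7": "t", "!": "i"})
MIN_STEM = 4  # stems shorter than this are too generic to compare


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def stem(password: str) -> str:
    """Reduce a password to the memorable 'base word' a user is likely reusing."""
    lowered = password.lower()
    # Drop the year/counter/punctuation people bolt onto the ends.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return core.translate(LEET)


def is_variant(candidate: str, known: str, max_distance: int = 2) -> bool:
    """True if candidate is a trivial variation of a known password."""
    c, k = candidate.lower(), known.lower()
    if c == k or levenshtein(c, k) <= max_distance:
        return True
    cs, ks = stem(candidate), stem(known)
    if len(cs) >= MIN_STEM and len(ks) >= MIN_STEM:
        return cs == ks or levenshtein(cs, ks) <= max_distance
    return False


def check_new_password(candidate: str, known_passwords: list[str]) -> tuple[bool, str]:
    """Policy hook: reject a candidate that varies any known password."""
    for known in known_passwords:
        if is_variant(candidate, known):
            return False, "too similar to a previous password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: the 'previous' password and a few attempts at a new one.
    previous = ["Cardinals2015!"]
    for attempt in ["Cardinals2016!", "C@rdin4ls16", "cardinals2017", "Xq7#vL2mP9$wR"]:
        print(attempt, "->", check_new_password(attempt, previous))
```

The check runs only at password-set time and only against passwords the organization actually holds; it cannot see a password chosen at a former employer, which is exactly why the Astros executive's reuse went unnoticed. Treat it as one layer on top of unique, generated passwords rather than a substitute for them.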
One method that can help strike the balance between security and ease of use is implementing a password management application. Products such as LastPass, Dashlane and 1Password require an employee to remember only one strong master password for their vault and then use randomly generated, unique passwords for every other system they access. Because each password is random and unique, knowing one of them (as Correa did) reveals nothing about any other. Many of these password managers also offer enterprise editions for use throughout a company, with centrally managed vaults; revoking an employee's vault access when they leave is an effective way of cutting off the shared credentials they held.
Another option is the use of 2-factor authentication for your more sensitive information systems. With 2-factor authentication a user must present something they know (a password) together with a second factor, either something they have (a phone, key fob or hardware token) or something they are (a fingerprint or other biometric), to access the account. This would have blocked the method Correa used to access the Astros' systems, because even after guessing the password he would not have had the second factor. It is worth noting what 2-factor authentication does not do: it does not stop an attacker who has already obtained a valid session, and it does not replace revoking access when employees leave. These two relatively simple password management methods can make your systems considerably more secure and hopefully prevent situations similar to the one that unfolded with the Cardinals and Astros.